A Rational Approach to Cryptographic Protocols 



P. Caballero-Gil, C. Hernandez-Goya and C. Bruno-Castaneda

Department of Statistics, Operations Research and Computing,

Faculty of Mathematics, University of La Laguna,

38271 Tenerife, Spain

Corresponding author: pcaballe@ull.es



Abstract 

This work initiates an analysis of several cryptographic protocols from
a rational point of view using a game-theoretical approach, which allows
us to represent not only the protocols but also possible misbehaviours
of parties. Concretely, several concepts of two-person games and of
two-party cryptographic protocols are here combined in order to model the
latter as the former. One of the main advantages of analysing a
cryptographic protocol in the game-theory setting is the possibility of
describing improved and stronger cryptographic solutions because possible
adversarial behaviours may be taken into account directly. With those tools,
protocols can be studied in a malicious model in order to find equilibrium
conditions that make it possible to protect honest parties against all
possible strategies of adversaries.

Keywords: Cryptography, Game theory, Protocols verification

1 Introduction 

The verification of cryptographic protocols has become a subject of great
importance with the development of communications and transactions on public
channels like the Internet. Since Cryptology may be seen as a continuous struggle
between cryptographers and cryptanalysts, and Game Theory may be defined 
as the study of decision making in difficult situations, both fields seem to have 
certain common scenarios, so it is natural that tools from one area may be ap- 
plied in the other. In fact, the main objective of this work is to model several 
two-party cryptographic protocols as two-person games in order to introduce 
the human factor in the analysis of cryptographic protocols so that it might be 
helpful to solve many security problems which are hard to deal with using
traditional security primitives.

One of the first approaches that analyses the relationship between crypto- 
graphic protocols and games may be found in [1], where an application of game 
theoretic techniques to the analysis of some multiparty cryptographic protocols 
for secret exchange was provided. Later, a solution to the problem of
determining the existence of two-person games whose payoffs are comparable to those
obtained when a Third Trusted Party intervenes was proposed in [2]. Another
two recent applications of modern cryptography to game theory were presented
respectively in [3], where it was proved that every correlated equilibrium of an
original infinitely repeated game can be implemented through public commu- 
nication only, and in [4], where cryptographic primitives were used to provide 
correctness and privacy in distributed mechanisms. 

Several cryptographic proofs of protocol correctness based on basic fairness
were provided in [5], whereas in [6] various formal definitions of different versions
of fairness were given. The idea of using game theory as a formal tool to
model specific cryptographic protocols such as Fair and Safe Exchange, and
Contract Signing was explored in the recent works [7], [8] and [9]. The concept of
rational exchange in terms of Nash equilibrium was defined in [10], where it was 
proved that fair exchange implies rational exchange but not the reverse. Another 
remarkable reference, [11], described a formal security model for fair signature 
exchange in terms of games where fairness was defined in a probabilistic way. 

Finally, the work [12] should be singled out as the main starting point of this 
work since there the concept of rationality applied to exchange was introduced. 
Such a reference also showed the close relationship between the rationality con- 
cept and the stimulation for cooperation in ad-hoc networks. 

This paper represents a preliminary step of a game-based analysis of general 
scenarios and different types of two-party cryptographic protocols. Concretely, 
here the modelling of incentives in the games and desirable conditions of the 
protocols are described. The structure of the present work is as follows. Section 
2 briefly introduces the notation and definitions of several game-theoretic notions
that are used throughout the paper. Then Section 3 provides a basic background 
on two-party cryptographic protocols. In Sections 4 and 5 a theoretic game 
model is used to describe and analyse respectively symmetric and asymmetric 
two-party protocols. Finally, conclusions of the work and comments on further 
investigation are drawn in Section 6. 

2 Notations and Definitions 

If a group P of parties or players i agree to obey certain rules and to act individ- 
ually or in coalition, the results of their joint action lead to certain situations 
called outcomes. In such conditions, a game G defines the set of rules that 
specify a sequence of actions $a \in Q$ allowed to the parties.



Concretely, the rules of the game specify what amount of information about
all the previous actions and the alternatives that have been chosen can be given
to each party before making a specific choice. The game also specifies a
termination when some specific sequences of choices are made and no more actions
are allowed. Each termination produces an outcome in the form of scores or
incomes $y_i^+$, and payments or expenses $y_i^-$ for each party. It is assumed that
each party $i$ has a preference relation $<_i$ over the outcomes reflected in his/her
scores and payments.

A finite action sequence q is said to be terminal if it is infinite or if there is 
no action a such that q is followed by a. The set Z of terminal action sequences 
represents all the possible outcomes of the game. The real-valued function 
$y(q) = (y_i(q))_{i \in P}$ that assigns the payoffs for every party $i$ after every terminal
action sequence $q \in Z$ is called outcome or payoff function. These payoff values
may be negative, in which case they are interpreted as losses. Also these payoffs
may verify that $\sum_{i \in P} y_i(q) = 0$ for any $q \in Z$, in which case the game is called
zero-sum. 

The preference relations of the parties are often represented in terms of their
payoffs in such a way that for any $q, q' \in Z$ and $i \in P$, $q <_i q'$ iff $y_i(q) < y_i(q')$.
On the other hand, the so-called utility function $u_i$ is just a mathematical
representation of $i$'s preferences.

A strategy of party $i \in P$ is a function $s_i \in S_i$ that assigns an action which is
available after $q$ for party $i$, to every non-terminal action sequence $q \in Q \setminus Z$ such
that $i$ is the following party in choosing an action after $q$. A strategy profile is
a vector $(s_i)_{i \in P}$ of strategies, where each $s_i$ is a member of $S_i$. The notation
$(s_j, (s_i)_{i \in P \setminus \{j\}})$ is used to emphasise that the strategy profile specifies strategy $s_j$
for party $j$. Finally, let $o((s_i)_{i \in P})$ denote the resulting outcome when the parties
follow the strategies in the strategy profile $(s_i)_{i \in P}$.

A strategy profile $(s_i^*)_{i \in P}$ is called a Nash equilibrium iff for every party
$j \in P$ we have that $o(s_j, (s_i^*)_{i \in P \setminus \{j\}}) <_j o(s_j^*, (s_i^*)_{i \in P \setminus \{j\}})$. This means that if every
party $i$ other than $j$ follows strategy $s_i^*$, then party $j$ is also motivated to follow
strategy $s_j^*$. So, in Nash equilibrium the choices depend on the other's possible
strategies.

3 Cryptographic Protocols Concepts 

A two-party cryptographic protocol may be defined as the specification of an 
agreed set of rules on the computations and communications that need to be per- 
formed by two entities, A (Alice) and B (Bob), over a communication network, 
in order to accomplish some mutually desirable goal, which is usually some- 
thing more than simple secrecy. Several essential properties of cryptographic 
protocols are the following: 

1. Correctness, which guarantees that every honest party should get his/her 
agreed output. 



2. Privacy, which includes the protection of every party's secrets.

3. Fairness, which means that if a dishonest party exists, then neither may
he/she gain anything valuable, nor may an honest party lose anything valuable.

In the game-theoretic model two new properties regarding dishonest
behaviours can be defined:

1. Exclusiveness, which implies that one or both parties cannot receive their 
agreed output. 

2. Voyeurism, which is the contrary of privacy because it implies that one or 
both parties may discover the other's secret. 

Note that the previous definition of fairness agrees with the rationality
concept described in [10] because fairness here is a property which is understood
as more practical than theoretical. In other words, protocols are here defined
according to their practical security against any kind of adversary.

It is assumed that at each step a party receives the message that was sent 
by the other party at the previous step, performs some private computation 
and sends some message (possibly none) to the other party. So, a two-party 
cryptographic protocol may be seen as a repeated game formed by a sequence 
of iterations of the following two communication phases: 

1) Send: Party A (B) sends to B (A) a message M generated depending on
her (his) state.

2) Receive: Party A (B) receives from B (A) a message M and makes a state
transition.

Thus, we are implicitly assuming that the system is synchronous (parties 
know the time and must decide what message to send in each round before re- 
ceiving any message sent to them in that round), communication is guaranteed, 
and messages take exactly one round to arrive. These assumptions are critical 
to the correctness of the protocols. Also, for the sake of simplicity, in this paper 
the non-intentional loss of control over message M is considered as a delivery, 
so $\mathit{rcv}_A(M)$ ($\mathit{rcv}_B(M)$) denotes both the case when party $B$ ($A$) sends message
$M$ to $A$ ($B$), and the case when $A$ ($B$) is able to receive it.

In order to formalise the notion of cryptographic protocols in terms of
functions, we denote by $f$ a two-argument finite function, $f : X_A \times X_B \to Y_A \times Y_B$,
where $X_i$ and $Y_i$, $i \in \{A, B\}$, represent respectively input and output sets for party
$i$. Intuitively, a two-party cryptographic protocol may be generally described
through a two-variable function $f$ whose output is defined by the expression
$f(M_A, M_B) = (f_A(M_A, M_B), f_B(M_A, M_B))$, where it is understood that party
$i$ receives the output of $f_i$ on inputs $M_A$ and $M_B$.

As mentioned above, two-party cryptographic protocols include a series of
message exchanges between both parties over a communication network. So,
the possibility always exists that one or both parties will cheat to gain some
advantage or that some external agent will interfere with normal
communications. The simplest situation occurs when each party functions asynchronously
from the other party and makes inferences by combining a priori knowledge with 
properties of the received messages, determining information that is not imme- 
diately apparent, so such inferences must be taken into account in determining 
security. In a worst case analysis of a protocol, one must assume that any party 
may try to subvert the protocol. So, when designing a two-party cryptographic 
protocol one of two possible models should be considered: 

• Semi-honest model: When it is assumed that the protocol is cooperative 
and both parties follow the protocol properly in such a way that they help 
each other to compute $f_i(M_A, M_B)$, but curious parties may keep a record
of all the information received during the execution and use it to make a 
later attack. 

• Malicious model: Where it is assumed that parties may deviate from 
the protocol. In this case, during the interaction, each party acts
non-cooperatively and has different choices which may determine the output
of the protocol. 

We are interested in obtaining guarantees provided by the definition of the
protocols when one of the two parties misbehaves in an arbitrary way.
Consequently, this work is conducted within the malicious model where it is assumed
that either A or B does not follow the protocol properly. In such a model the
security of a cryptographic protocol should refer to its ability to withstand attacks
by certain types of cheaters or enemies, in such a way that essential properties 
such as correctness, privacy and fairness hold despite such possible attacks. So, 
the main interest of this work will be the description of honest strategy profiles 
for every analysed protocol such that whenever the strategy of some party is 
honest, the other party has no incentive to deviate from the protocol, which is 
closely related to Nash equilibrium conditions. 

Apparently, any two-party cryptographic protocol might be best modelled
with a zero-sum game because every situation that is dishonestly advantageous
for a party should be disadvantageous for the other. In fact, this is not the
case for many protocols. In general, most two-party cryptographic protocols are
represented by non-positive sum games (i.e. games in which the sum of the 
payoffs of the players is always less than or equal to 0). Those games in which 
the sum of the payoffs can be positive should be generally discarded because 
they imply that both parties could agree on behaving dishonestly and receive 
positive payoffs. 

In particular, the payoff $y_i(q)$ of a party $i$, assigned after a terminal action
sequence $q$, may be defined as $y_i(q) = y_i^+(q) - y_i^-(q)$, where $y_i^+(q)$ and $y_i^-(q)$
represent respectively the incomes and expenses of $i$ after $q$. These incomes and
expenses functions will be defined in terms of utilities according to the concrete
definitions of each protocol. Here the utility that a secret $M_j$ is worth to party $i$
is denoted by $u_{ij} = u_i(M_j)$, a value which may be difficult to quantify in practical
situations.

A two-party cryptographic protocol is said to be closed when if a party gains 
something, then the other party must lose something. This property may be 
expressed in terms of the incomes and expenses functions in the following way: 
$\forall q \in Z$, $y_i^+(q) > 0 \Rightarrow y_j^-(q) > 0$. Note that in this work the closedness of the
protocols is assumed since in the definition of the payoff function we always 
consider both the wish of one party to know the other's secret and the wish of 
the other party to prevent that from happening. 

According to the aforementioned functional definition of a two-party
cryptographic protocol $f$, at the end of the execution, party $i$ should receive the output
of $f_i$ on secrets $M_A$ and $M_B$. Depending on whether $f_A = f_B$ we may
distinguish between symmetric and asymmetric protocols. From the first group, in the
next sections we will study the protocols of Fair Exchange, Secure Two-Party 
Computation and Coin Flipping. On the other hand, representative protocols 
of the group of asymmetric protocols are Oblivious Transfer, Bit Commitment 
and Zero Knowledge Proof. This classification is important for the proposed 
game theoretic model because it implies the translation to a symmetric game 
where possible payoffs and outputs of both parties coincide, or to asymmetric 
games where that does not occur. 

In the following sections several symmetric and asymmetric protocols are 
analysed according to a game-theoretic model. For every analysed protocol we 
define income, expense and payoff functions for each party in every possible 
combination of behaviours and misbehaviours of parties, and make rather min- 
imal assumptions about several matters such as the preferences of the parties 
in order to guarantee the existence of an honest strategy profile that is a Nash
equilibrium. Although the possibility of misbehaviours by both parties is here
considered, in this paper we analyse especially the case when exactly one of them
is dishonest. Note that if this assumption is not fulfilled, there might be some 
dishonest strategy that dominates the corresponding honest strategy, and in 
such conditions rational parties would be consequently dishonest. 

4 Symmetric Protocols 

4.1 Fair Exchange 

Fair Exchange is a cryptographic protocol for exchanging secrets $M_A$ and $M_B$
between two parties $A$ and $B$ so that if $A$ behaves correctly, then party $B$ cannot
get $A$'s secret ($M_A$) unless $A$ gets $B$'s secret ($M_B$), and vice versa. According
to this definition, possible descriptions of non-null values of the incomes and
expenses functions $y_i^+$ and $y_i^-$ are the following:

$y_i^+(q) = u_{ij}$ if $\mathit{rcv}_i(M_j)$

$y_i^-(q) = u_{ii}$ if $\mathit{rcv}_j(M_i)$.



Note that if no assumptions or preferences of parties are made, rational
parties will simply not send their secrets since this strategy weakly dominates
sending the secret. However, since the parties' objective in this protocol is to
obtain each other's secret, we are only interested in the states of the protocol
tree where $A$ possesses $B$'s secret and the ones where $B$ possesses $A$'s secret.
So, one property that utility $u_{ij}$ should verify in order to avoid a possible
coalition between two dishonest parties is the following:
$u_{ij} > u_{ii} > 0$, $\forall i, j \in \{A, B\}$.
For example, such utilities might reflect the interests of both parties to
participate cooperatively if the protocol is run correctly. In this way, parties value
correctness over privacy, and the payoff $y_i(q)$ of party $i$ can take only four
possible values: $-u_{ii} < 0 < u_{ij} - u_{ii} < u_{ij}$, corresponding respectively to the
four possible terminal action sequences when
$\mathit{rcv}_j(M_i) <_i \mathit{rcv}_i(\emptyset) \wedge \mathit{rcv}_j(\emptyset) <_i \mathit{rcv}_i(M_j) \wedge \mathit{rcv}_j(M_i) <_i \mathit{rcv}_i(M_j)$.

Fairness property ensures that if $i$ is honest, then the other party $j$ cannot
get $i$'s secret unless $i$ gets $j$'s secret. So, in terms of incomes and expenses
functions we have that if $i$'s strategy $s_i^*$ is honest, then for every strategy
$s_j$ of $j$: if $y_j^+(o(s_i^*, s_j)) = u_{ji}$ $\Rightarrow$ $y_i^+(o(s_i^*, s_j)) = u_{ij}$.

So, it may be stated that in a rational fair exchange protocol where both
parties have incentives to send their secrets, honest strategies form a Nash
equilibrium because if one party follows an honest strategy, then the other party is
also motivated to behave honestly because he/she loses or at least does not gain
anything by not doing so.
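
As an added illustration (not code from the paper), the following Python example applies the Nash equilibrium definition of Section 2 to the fair exchange incomes and expenses defined above, and checks the fairness condition on two protocol models. The two protocol models, the `withhold` deviation and the utility numbers are constructed assumptions.

```python
from itertools import product

PARTIES = ("A", "B")
# "withhold" is an assumed deviation: the party never releases its own secret.
STRATEGIES = ("honest", "withhold")


def other(i):
    return "B" if i == "A" else "A"


def payoffs(received, u):
    """Return y_i = y_i^+ - y_i^- for both parties at a terminal outcome.

    received[i] is True when rcv_i(M_j) occurred (i obtained j's secret);
    u[(i, j)] is u_ij, the utility that secret M_j is worth to party i.
    """
    result = {}
    for i in PARTIES:
        j = other(i)
        income = u[(i, j)] if received[i] else 0   # y_i^+ = u_ij if rcv_i(M_j)
        expense = u[(i, i)] if received[j] else 0  # y_i^- = u_ii if rcv_j(M_i)
        result[i] = income - expense
    return result


def payoff_values(i, u):
    """The distinct payoffs party i can end with, in increasing order."""
    outcomes = product((False, True), repeat=2)
    return sorted({payoffs({"A": a, "B": b}, u)[i] for a, b in outcomes})


def naive_exchange(profile):
    """Constructed unfair protocol: A sends first, an honest B answers."""
    b_gets = profile["A"] == "honest"
    a_gets = b_gets and profile["B"] == "honest"
    return {"A": a_gets, "B": b_gets}


def fair_exchange(profile):
    """Constructed ideal protocol: both secrets are released, or neither."""
    done = all(profile[i] == "honest" for i in PARTIES)
    return {"A": done, "B": done}


def is_fair(protocol):
    """Fairness: with i honest, j obtains M_i only if i obtains M_j."""
    for i in PARTIES:
        j = other(i)
        for s_j in STRATEGIES:
            received = protocol({i: "honest", j: s_j})
            if received[j] and not received[i]:
                return False
    return True


def honest_is_nash(protocol, u):
    """True when no unilateral deviation from (honest, honest) pays more."""
    honest = {i: "honest" for i in PARTIES}
    base = payoffs(protocol(honest), u)
    for j in PARTIES:
        for s_j in STRATEGIES:
            deviation = dict(honest, **{j: s_j})
            if payoffs(protocol(deviation), u)[j] > base[j]:
                return False
    return True


# Constructed utilities. U_OK satisfies u_ij > u_ii > 0 for both parties;
# in U_BAD party A values its own secret above B's (u_AB < u_AA).
U_OK = {("A", "B"): 5, ("A", "A"): 2, ("B", "A"): 4, ("B", "B"): 1}
U_BAD = {("A", "B"): 1, ("A", "A"): 3, ("B", "A"): 4, ("B", "B"): 1}

if __name__ == "__main__":
    print("payoffs of A:", payoff_values("A", U_OK))
    for name, protocol in (("naive", naive_exchange), ("fair", fair_exchange)):
        print(name, "fair:", is_fair(protocol),
              "| honest is Nash:", honest_is_nash(protocol, U_OK))
    print("fair protocol, u_AB < u_AA:", honest_is_nash(fair_exchange, U_BAD))
```

With these constructed values, honest behaviour is an equilibrium only for the protocol model that satisfies the fairness condition, and only while $u_{ij} > u_{ii}$ holds.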

Examples of fair exchange include Contract Signing and Certified Mail
protocols [13]. In the former, both parties $A$ and $B$ want to exchange simultaneously
signed contracts in such a way that neither of them can obtain the signature of
the other without having signed the contract and that neither of them can
repudiate his or her own signature. On the other hand, in Certified Mail $A$ wants to
send a mail $M_A$ to $B$ so that $B$ can read the mail $M_A$ if and only if $A$ receives
the corresponding return receipt $M_B$. Consequently, a conclusion similar to the
one obtained for fair exchange may be extracted for both cases of contract signing
and certified mail protocols.

4.2 Secure Two-Party Computation 

The general protocol known as Secure Two-Party Computation allows two
parties $A$ and $B$ with secret inputs $M_A$ and $M_B$ to evaluate a common value
$f_A(M_A, M_B) = f_B(M_A, M_B) = g(M_A, M_B) = g$ in a manner where neither
party learns more than necessary. This protocol is the two-party version of the
multiparty protocol known as Secure Function Evaluation. There are various 
definitions and models for Secure Two-Party Computation [14] and indeed the 
above definition describes just one of them. For example, one might consider 
an asymmetric version where only A receives the output. However, this work 
deals with this symmetric version where both parties learn the value g. 



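A possible description of the incomes and expenses functions $y_i^+$ and $y_i^-$
that verifies the previous definition is as follows, where $k > 1$:

$$y_i^+(q) = \begin{cases}
u_{ij} & \text{if } \mathit{rcv}_i(M_j) \\
k u_i(g) & \text{if } \mathit{rcv}_i(g) \\
u_{ij} + k u_i(g) & \text{if } \mathit{rcv}_i(M_j, g) \\
0 & \text{otherwise}
\end{cases}$$

$$y_i^-(q) = \begin{cases}
u_{ii} & \text{if } \mathit{rcv}_j(M_i) \\
u_{ii} + u_i(g) & \text{if } \mathit{rcv}_j(M_i, g) \\
0 & \text{otherwise}
\end{cases}$$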

A serious problem of this protocol arises when there is no way to force a party
to use his/her correct input. So, according to privacy property, and in order to
avoid a possible coalition between dishonest parties, it should be assumed
that the following inequality holds: $u_i(g) < u_{ij} < k u_i(g) < u_{ii}$, $\forall i, j \in \{A, B\}$, which
implies that: exclusiveness $<_i$ voyeurism $<_i$ correctness $<_i$ privacy.

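If the utility of $g(M_A, M_B)$ is the same for both parties, $u = u_A(g) = u_B(g)$,
the payoff $y_i(q)$ of party $i$ may take the following sixteen possible values:

$$\begin{aligned}
& -u - u_{ii} < -u_{ii} < u_{ij} - u_{ii} - u < (k-1)u - u_{ii} < ku - u_{ii} < {} \\
& -u,\ u_{ij} - u_{ii},\ (k-1)u + u_{ij} - u_{ii} < 0,\ ku + u_{ij} - u_{ii} < u_{ij} - u < {} \\
& u_{ij},\ (k-1)u < ku < (k-1)u + u_{ij} < ku + u_{ij}
\end{aligned}$$

corresponding respectively to the sixteen possible terminal action sequences when

$$\begin{aligned}
& \mathit{rcv}_j(g, M_i) <_i \mathit{rcv}_j(M_i) <_i \mathit{rcv}_j(g, M_i) \wedge \mathit{rcv}_i(M_j) <_i \mathit{rcv}_i(g) \wedge \mathit{rcv}_j(g, M_i) <_i \mathit{rcv}_j(M_i) \wedge \mathit{rcv}_i(g) <_i {} \\
& \mathit{rcv}_j(g),\ \mathit{rcv}_j(M_i) \wedge \mathit{rcv}_i(M_j),\ \mathit{rcv}_j(g, M_i) \wedge \mathit{rcv}_i(g, M_j) <_i \mathit{rcv}_i(\emptyset) \wedge \mathit{rcv}_j(\emptyset),\ \mathit{rcv}_i(g, M_j) \wedge \mathit{rcv}_j(M_i) <_i {} \\
& \mathit{rcv}_i(M_j) \wedge \mathit{rcv}_j(g) <_i \mathit{rcv}_i(M_j),\ \mathit{rcv}_i(g) \wedge \mathit{rcv}_j(g) <_i \mathit{rcv}_i(g) <_i \mathit{rcv}_i(g, M_j) \wedge \mathit{rcv}_j(g) <_i \mathit{rcv}_i(g, M_j).
\end{aligned}$$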

A rational secure two-party computation protocol ensures that no party
receives the other party's secret and that if party $i$ is honest, then the other
party $j$ cannot get $g(M_A, M_B)$ unless $i$ gets it. So, in terms of incomes and
expenses functions we have that if $i$'s strategy $s_i^*$ is honest, then for every
strategy $s_j$ of $j$: if $y_j^+(o(s_i^*, s_j)) = k u_j(g)$ $\Rightarrow$ $y_i^+(o(s_i^*, s_j)) = k u_i(g)$, and
if $y_j^+(o(s_i^*, s_j)) = u_{ji} + k u_j(g)$ $\Rightarrow$ $y_i^+(o(s_i^*, s_j)) = u_{ij} + k u_i(g)$. So, in a rational
secure two-party computation protocol, honest strategies satisfy Nash equilibrium
conditions.

4.3 Coin Flipping 

Coin flipping protocols are used where two parties $A$ and $B$ want to generate
jointly a common random binary sequence $M$. According to this definition,
possible descriptions of non-null additive values of the incomes and expenses
functions $y_i^+$ and $y_i^-$ are the following, where $k > 1$:

$y_i^+(q) = u_i(M)$ if $M$ is selected by $i$

$y_i^+(q) = k u_i(M)$ if $\mathit{rcv}_i(M)$

$y_i^-(q) = k u_i(M)$ if $M$ is selected by $j$

$y_i^-(q) = u_i(M)$ if $\mathit{rcv}_j(M)$.



In this way, according to preferences of parties, correctness and voyeurism are
valued over exclusiveness and privacy, and the payoff $y_i(q)$ of party $i$ can take five
possible values: $-k u_i(M) < -u_i(M) < 0 < u_i(M) < k u_i(M)$, corresponding
respectively to the five possible terminal action sequences when $M$ is selected by
$j$ $<_i$ $\mathit{rcv}_j(M)$ $<_i$ $\mathit{rcv}_j(M) \wedge \mathit{rcv}_i(M)$ $<_i$ $M$ is selected by $i$ $<_i$ $\mathit{rcv}_i(M)$.

Again fairness property ensures that either both parties get the agreed
outcome or neither does, so if party $i$ is honest, then the other party $j$ cannot get
the randomly generated sequence $M$ before. So, in terms of incomes and
expenses functions we have that if $i$'s strategy $s_i^*$ is honest, then for every strategy
$s_j$ of $j$: if $y_j^+(o(s_i^*, s_j)) = k u_j(M)$ $\Rightarrow$ $y_i^+(o(s_i^*, s_j)) = k u_i(M)$. Consequently,
honest strategies in rational coin flipping protocols form a Nash equilibrium.

5 Asymmetric Protocols 

5.1 Oblivious Transfer 

A major component in the construction of Secure Two-Party Computation
protocols is the Oblivious Transfer protocol since it has been proved that a Secure
Two-Party Computation can always be built using calls to an Oblivious Transfer
protocol [15]. So, the term Oblivious Transfer refers usually to several different 
versions of asymmetric Secure Two-Party Computation protocols, all of which 
turned out to be equivalent. However, the definition that will be used in this 
work is the following. An Oblivious Transfer may be defined as a protocol whose 
goal is to enable one party A to transfer a secret to another party B in such a 
way that the information is transferred with a probability 1/2, and when con- 
cluding the protocol B knows with absolute certainty whether he has got the 
secret or not, but A does not know it. 

Possible descriptions of additive incomes and expenses functions $y_i^+$ and
$y_i^-$ are the following, where $k > 1$:

$y_A^-(q) = u_A(M)$ and $y_B^+(q) = u_B(M)$ if $\mathit{rcv}_B(M)$

$y_A^+(q) = k u_A(M)$ and $y_B^-(q) = (k + 1) u_B(M)$ if $A$ knows whether
$\mathit{rcv}_B(M)$ or not.

If no assumption is made on $A$'s interest to participate in a correct protocol,
then there may be a problem because a rational party $A$ would simply not
send her secret. Consequently, the described model implies that party $A$ should
value voyeurism over exclusiveness, whereas party $B$ should value privacy over
correctness. On the one hand, the payoff functions of party $A$ can take the
following four values: $-u_A(M) < (k - 1) u_A(M) < 0 < k u_A(M)$, corresponding
respectively to the four possible terminal action sequences when
$\mathit{rcv}_B(M)$ $<_i$ $\mathit{rcv}_B(M) \wedge A$ knows it $<_i$ $\mathit{rcv}_B(\emptyset)$ $<_i$ $\mathit{rcv}_B(\emptyset) \wedge A$ knows it.
On the other hand, the payoff functions of party $B$ can take the following four values:
$(-k - 1) u_B(M) < -k u_B(M) < 0 < u_B(M)$, corresponding respectively to the four
possible terminal action sequences when
$\mathit{rcv}_B(\emptyset) \wedge A$ knows it $<_i$ $\mathit{rcv}_B(M) \wedge A$ knows it $<_i$ $\mathit{rcv}_B(\emptyset)$ $<_i$ $\mathit{rcv}_B(M)$.

A rational oblivious transfer ensures that if party $B$ is honest, $A$ cannot
know whether $B$ received the secret or not, and if party $A$ is honest, $B$ receives
the secret with probability 1/2. So, in terms of incomes and expenses functions
we have that if $B$'s strategy $s_B^*$ is honest, then for every strategy $s_A$ of $A$:
if $y_A^+(o(s_B^*, s_A)) = k u_A(M)$ $\Rightarrow$ $y_B^+(o(s_B^*, s_A)) = u_B(M)$, so $s_A$ is not a good
strategy for $A$. From the above it may be stated that honest strategies in
rational oblivious transfer satisfy Nash equilibrium conditions.

5.2 Bit Commitment 

The goal pursued by this two-party protocol is twofold: first $A$ transfers
information to $B$ that cannot be changed by her (unalterability property) and such
information cannot be accessed by $B$ until the end of the protocol is reached
(illegibility property). Originally the aforementioned information consists of only
one bit.

When defining the utility function, the possible frauds should be taken into
account for both participants. So, in this case $B$ would obtain the bit before
opening the commitment, and $A$ could also modify the content of the original
commitment during the protocol's development. The expenses and incomes of each
participant are the following, where $k > 1$:

$y_A^-(q) = k \cdot u_A(M)$, $y_B^+ = u_B(M)$, if $\mathit{rcv}_B(M)$ before the opening stage

$y_A^+(q) = u_A(M)$, $y_B^- = k \cdot u_B(M)$, if $A$ modifies $M$

According to the previous values, the payoff for each party has the values 0,
$-k \cdot u_i(M)$, $u_i(M)$ and $(1 - k) \cdot u_i(M)$, $i \in \{A, B\}$. From these utility functions
it can be deduced that the honest behaviour of party $A$ implies $B$'s honesty,
since the other possibilities convey non-positive payoffs. Again honest strategies
have an associated Nash equilibrium. Furthermore it can be deduced that party $A$
associates a bigger weight to privacy property than to exclusiveness. On the other
hand, $B$'s preferences single out correctness property compared to voyeurism.

5.3 Zero-Knowledge Proofs 

A zero-knowledge protocol allows party $A$ to convince $B$ that she knows some
information but without leaking anything about the secret. The two dishonest
possibilities considered are: party $A$ does not know the secret or party $B$ gets
the secret, so the corresponding expenses and incomes are

$y_A^- = k \cdot u_A(M)$, $y_B^+ = u_B(M)$, if $\mathit{rcv}_B(M)$

$y_A^+ = u_A(M)$, $y_B^- = k \cdot u_B(M)$ when $A$ does not know the secret

The payoffs deduced from those values are 0, $u_i(M)$ and $-k \cdot u_i(M)$, $i \in \{A, B\}$.
Hence, Nash equilibrium forces both participants to be honest.
According to the previous model, party $A$ should value privacy over exclusiveness
while for party $B$, correctness outweighs voyeurism.

6 Conclusions

This paper addresses an emergent issue in security: the synergy between secu- 
rity protocols and game theory mechanisms. In particular, the study of several 
two-party protocols in a game-theoretic model is here initiated, by giving for- 
mal definitions of payoffs for each party and ranking properties of exclusiveness, 
voyeurism, correctness and privacy. This work deals with the idea of modelling 
cryptographic protocol design as the search for an equilibrium in order to
defend honest parties against all possible strategies of malicious parties. So, our
first objective has been to illustrate the close connection between protocols and 
games and to use game theoretic techniques for the definition and analysis of 
cryptographic protocols so that this model might be used to build more effective 
and efficient security protocols. 

Two subjects of work in progress are the generalization
of the game-theoretic approach followed in this work to multiparty cryptographic 
protocols, and the analysis of the relationship between properties like fairness 
and different game theoretic concepts, such as dominant strategic equilibrium. 
Finally, one direction for further investigation involves the study of the possi- 
bility of describing two-party protocols as sequential games instead of repeated 
games, which might be more convenient in many cases. 

References 

[1] Fischer, M., Wright, R., An Application of Game-Theoretic Techniques to
Cryptography, Advances in Computational Complexity Theory, DIMACS
Series in Discrete Mathematics and Theoretical Computer Science Volume
13, American Mathematical Society, 99-118 (1993).

[2] Dodis, Y., Halevi, S., Rabin, T., A cryptographic solution to a game
theoretic problem. Proceedings of CRYPTO'2000, Lecture Notes in Computer
Science 1880, Springer, 112-131 (2000).

[3] Gossner, O., Repeated games played by cryptographically sophisticated
players, Technical Report Paper 9836, Catholique de Louvain - Center for
Operations Research and Economics (1999).

[4] Brandt, F., Sandholm, T., Correctness and Privacy in Distributed
Mechanisms. Proceedings of the Agent-Mediated Electronic Commerce Workshop,
New York (2004).

[5] Garay, J.A., Jakobsson, M., MacKenzie, P.D., Abuse-Free Optimistic
Contract Signing, Proceedings of CRYPTO'99, Lecture Notes in Computer
Science 1666, Springer, 449-466 (2000).

[6] Buttyan, L., Hubaux, J., Toward a formal model of fair exchange - a game
theoretic approach, Technical Report EPFL SSC/1999/039, Laboratory of
Computer Communications and Applications, Swiss Federal Institute of
Technology - Lausanne (1999).

[7] Kremer, S., Raskin, J.F., Game analysis of abuse-free contract signing.
Computer Security Foundations Workshop, Canada (2002).

[8] Sandholm, T., Wang, X., (Im)possibility of Safe Exchange Mechanism
Design. Proceedings of National Conference on Artificial Intelligence, 338-344
(2002).

[9] Chadha, R., Mitchell, J.C., Scedrov, A., Shmatikov, V., Contract signing,
optimism and advantage. Proceedings of CONCUR2003, Lecture Notes in
Computer Science 2761, Springer-Verlag, 366-382 (2003).

[10] Buttyan, L., Hubaux, J., Rational Exchange - A Formal Model Based
on Game Theory, 2nd International Workshop on Electronic Commerce,
Heidelberg, Germany, 16-17 (2001).

[11] Asokan, N., Shoup, V., Waidner, M., Optimistic fair exchange of digital
signatures, IEEE Journal on Selected Areas in Communications, 18(4),
593-610 (2000).

[12] Buttyan, L., Ph.D. Thesis, Building Blocks for Secure Services:
Authenticated Key Transport and Rational Exchange Protocols. Laboratory of
Computer Communications and Applications, Swiss Federal Institute of
Technology - Lausanne (2002).

[13] Even, S., Goldreich, O., Lempel, A., A randomized protocol for signing
contract. Communications of the ACM, 28 (6): 637-647 (1985).

[14] Goldreich, O., Foundations of Cryptography - Volume 2 (2002).
www.wisdom.weizmann.ac.il/oded/foc-vol2.html

[15] Rabin, M., How to exchange secrets by oblivious transfer. Technical Report
TR-81, Harvard (1981).






